Usable Security in Practice: Collaborative Management of
Electronic & Physical Personal Information
Laurian Vega
Center for Human-Computer Interaction
2202 Kraft Drive
Virginia Tech, VA, USA
Laurian@vt.edu
Keywords
H.5.3 [Information Interfaces & Presentation]: Computer
Supported Cooperative Work, Theory & Models, Organizational
Design; K.5.6 [Management of Computing & Information
Systems]: Security and Protection
1. SECURITY & WORK PRACTICE
Traditionally, electronic and physical security was conceptualized
as rules, locks, and passwords. More recently, security research
has explored how security is part of a larger socio-technical
system [8] that involves people using technologies and their
environments to create safe praxis. When examining security as
one part of this system, or as a supporting mechanism, issues of
trust [6], privacy [2, 4], and negotiation start to appear: trust,
because interpersonal relationships are relied upon to work
effectively together; privacy, because people are working with
information or details that are sensitive; and, negotiation, because
the rules or standards that groups are working within encounter
breakdowns or instances where rules are not clearly defined [7]
thus requiring changes to be mediated.
In my dissertation studies I focus on one type socio-technical
system in two instantiations. The type of socio-technical system I
will be studying is one in which groups coordinate and manage
their clients’ personal information through physical and
technological mechanisms. The two instantiations that I will
explore are childcare centers and medical centers. In childcare
centers workers care for and manage the enrolled children and
also the enrolled child’s personal information. In medical centers
workers manage the patients health along with the patients health
information. The use of two areas allows for generalization across
similar work environments while also exploring different
dimensions (e.g. routines, legislation).
The problem with security policies is that they are often only
secure in principle. They are seldom secure in practice” [4].
Practice is what happens in the moment; it is the activity; it is
what is actually done. There is a tension that exists between work
practice and security. There has been a plethora of research that
has demonstrated that when security policies or mechanisms are
not appropriately designed to support work practice, security
breaks down (e.g., creating work-arounds such as writing
passwords on post-it notes, or as was observed in the pilot studies
– shouting passwords) [1, 3, 5]. When a breakdown occurs,
though, in a social system, workers do not stop doing work. They
create special cases or methods that allows them to continue –
sends in the policies. In this sense, social systems are intrinsically
flexible. When we start to think about electronic systems, the
reverse is true: electronic systems work according to pre-encoded,
deterministic rules. It is for this reason that there exists a need to
study and understand how socio-technical systems manage
security practice.
Responding to the need for research in this area, my research
question is: how do socio-technical systems that use sensitive
personal information manage work-practice breakdowns
surrounding the implicit and explicit rules of process? I have
further broken this down into three sub-questions:
· What are the implicit and explicit rules surrounding how
medical practices and childcares handle sensitive personal
information?
· What breakdowns happen when the explicit and implicit
rules are not followed?
· How are breakdowns accounted for, negotiated, and
managed in socio-technical systems where sensitive personal
information exists?
2. METHODOLOGY
I will be focusing on breakdowns in the practice of explicit and
implicit policies through the lens of Activity Theory. Implicit and
explicit policies are the cultural norms that exist in the socio-
technical system to support work practices. Dourish et al. [5] go
as far as to emphasize the importance of both explicit and implicit
guarantees in their definition of security: security is “the ability of
users to express and rely upon a set of guarantees that the system
may make, explicitly or implicitly, about its treatment of user data
and other resources” (p392, emphasis added). By focusing on the
breakdowns that occur with explicit and implicit policies I will be
able to study how socio-technical systems manage system
perturbations. This management of perturbations is an intrinsic
strength of human-mediated security systems, and one
characteristic that technical systems fail to properly incorporate
[6].
Pending approval from the Virginia Tech Institutional Review
Board, month-long active-participant observations will be
employed. For these I will be volunteering half days of work at
both a childcare and medical center. The pilot data and resulting
data from the month long observations will form the basis for the
overall findings of this study. Daily observation logs will be kept
along with audio recordings and appropriate pictures of
representative artifacts. Key parts of the audio recordings will be
transcribed verbatim. Breakdowns will then be coded to produce
an emergent understanding of how the socio-technical system
employs security in practice. The use of observations and
interviews from key stakeholders should provide a complete story.
3. PILOT STUDIES & RESULTS
Four pilot studies were conducted to explore security issues
involved in the practice of collaborative sensitive information
management: 12 interviews of childcare directors, 13 interviews
of medical center directors, follow-up interviews with 4 childcare
directors, and two to three observations in 4 childcares. All
interviews and observations were transcribed. All participants
were from the southwest area of Virginia. All directors were
recruited through a comprehensive list of all area businesses; the
response rates were 55% for childcares, and 26% for medical
practices- not including the hospitals.
Three sample findings in regards to explicit and implicit policies
that govern the collaborative management of sensitive information
are: Human-mediated Access Management, Community of Trust,
and Information Redundancy.
Human-mediated Access Management. In the case of
childcares, there are instances when teachers or parents want to be
able to look at a file. One director said, “When a teacher comes in
and wants access to a file they have to come through me first and
they have to tell me their reason basically, you know, why do you
need to go in there?” This director is explaining how she monitors
access to the files in a method that is more than simply checking
access rights to information. She is additionally checking the
teacher’s goal, which extends into managing information privacy.
The director’s function is to mediate the information seeker’s goal
in a way that is flexible, negotiated, and determined in a case-by-
case fashion to best balance the need for information for work
with need to keep information private.
Community of Trust. To balance the need for access to
information with the need to keep information secure,
communities of trust emerged within the centers we studied. One
aspect of security that we asked about was the use of passwords.
Computers, when used for accessing patient information, were
generally in the director’s space, or the doctor’s office. Of those
medical centers that used electronic systems, only seven (29%)
had individual passwords. When asked why, a director said,
“They can access anything. That’s their job.” This statement
emphasizes that to be able to do the work required for the job
security access needs to be relaxed on the basis of trust. Another
example comes from the locking of physical filing cabinets. It is
the official policy that filing cabinets containing files should be
locked when the director is absent: “[files are] all kept in here in a
cabinet that's locked when I’m not here and the door is locked as
well.” The use of a key was, however, never observed.
Information Redundancy. Beyond the physical file containing
information about a child or patient, there is information kept in
other locations. From a security perspective having only one
instance to protect is the simplest case. When information,
however, becomes dispersed to better support individual practice,
security becomes more difficult to manage due to numerous
access points. In both medical and child practices there were
instances where information was outside the file and distributed in
the environment. These include having a physical and an
electronic file, having a file for billing and a file for medical
history, having files for one patient between two medical centers,
having information on hand in different spaces, and having
electronic copies stored in an off-site location. One director
explains duplicating information in multiple office locations, “We
fax patient information back and forth... That happens hundreds of
times a day…. Always with the big disclaimer this is medically
protected information, and this is intended for so-and-so only.”
She explains that someone then files the appropriate information
and the remainder is shredded. This duplication of information
functions to make sure that information is ready at hand when
necessary for work and ensures that if the information is lost it is
reproducible. Understanding what information is going to be kept
in what space or form, and who has access to those instances is
something that is determined by the function of the information
and also the context surrounding the information use.
4. CONTRIBUTIONS OF RESEARCH
This work will benefit the security, the usable security, and the
trust community within human-computer interaction by detailing
a deep exploration of how communities manage explicit and
implicit policies. The results from this body of work will be a set
of properties that will help the design community to create
technology and tools to support secure work practice.
A second benefit from this work will be the conceptualization of
security as more than rules. The application of the Activity
Theory framework provides a lens for examining how groups
internalize and externalize the constructs of security, trust, and
privacy. Activity theory literature on breakdowns will provide
additional methods of analysis to the security literature.
Additionally, there has been a dearth of research studying how
groups manage and coordinate security and put these constructs
into practice. This work will add to that body of literature and
understanding.
5. RESEARCH PHILOSOPHY
I have found that research needs to be balanced between
theoretical and practical. I have tried to balance studies of
technology in relation to constructs like trust and privacy in theory
but also in real-world situations for my dissertation. I also believe
in continuous discussion and reading to stimulate new ideas and
encourage knowledge. Last, research needs to be only one part of
a researcher’s life. A researcher should have additional interests to
prevent single mindedness. My work on recruitment and retention
of women in science and engineering along with my continual
efforts to balance work and life reflect this belief.
6. RELATED PUBLICATIONS
This is a short list of related publications. Please see my website
www.laurianvega.com for a full list of publications.
[1] Thomas P. Moran, Tara M. Matthews, Laurian Vega, Barton
Smith, James Lin, Stephen Dill. “Ownership and Evaluation
of Local Process Representations”. Published in the
Proceedings of INTERACT 2009, the 12th IFIP Conference
in Human-Computer Interaction, August 24-28, Uppsala,
Sweden.
[2] Peggy Layne, Laurian Vega. ADVANCE Portal Website. A
poster and presentation presented at 2009 Joint Annual
Meeting: Innovation and Leadership through a Diverse
STEM Workforce, June 8-11th, Washington D.C., USA.
[3] Laurian Vega, Yeong-Tay Sun, D. Scott McCrickard. “Trust,
Learning, and Usability”. A poster to Grace Hopper
Celebration of Women in Computing, September 30 -
October 3, Tucson, Arizona.
[4] Gregorio Convertino, Dennis Neale, Laurian Hobby, John M.
Carroll, Mary Beth Rosson. "A Laboratory Method for
Studying Activity Awareness." In Proceedings of the third
Nordic conference on Human-computer interaction, p.313 -
322, Tampere Finland, October 2004
7. REFERENCES
[5] Adams, A. and A. Blandford, Bridging the Gap Between
Organizational and User Perspectives of Security in the
 Clinical Domain. International Journal of Human-Computer
Studies, 2005. 63(1-2): p. 175-202.
[6] Adams, A., A. Blandford, D. Budd and N. Bailey,
Organizational communication and awareness: a novel
solution for health informatics. Health Informatics Journal,
2005. 11(3): p. 163-178.
[7] Adams, A. and M.A. Sasse, Users Are Not the Enemy, in
Communications of the ACM. 1999. p. 40-46.
[8] Bellotti, V. and A. Sellen. Design for Privacy in Ubiquitous
Computing Environments. Proceedings of the Third
Conference on European Conference on Computer-
Supported Cooperative Work. 1993: Kluwer Academic
Publishers.
[9] Dourish, P., E. Grinter, J.D.d.l. Flor and M. Joseph, Security
in the Wild: User Strategies for Managing Security as an
Everyday, Practical Problem. Personal Ubiquitous
Computing, 2004. 8(6): p. 391-401.
[10] Flechais, I., J. Riegelsberger and M.A. Sasse. Divide and
Conquer: The Role of Trust and Assurance in the Design of
Secure Socio-Technical Systems. in Proceedings of the 2005
Workshop on New Security Paradigms. 2005. Lake
Arrowhead, California: ACM.
[11] Kobayashi, M., S.R. Fussell, Y. Xiao and F.J. Seagull. Work
coordination, workflow, and workarounds in a medical
context. Conference on Human Factors in Computing
Systems (CHI'07). 2005. Portland, OR, USA: ACM Press,
New York, New York.
[12] Mamykina, L. and E.D. Mynatt. Investigating and supporting
health management practices of individuals with diabetes.
Proceedings of the 1st ACM SIGMOBILE international
workshop on Systems and networking support for healthcare
and assisted living environments. 2007. San Juan, Puerto
Rico: ACM.